random oracle model

There are lots of things in cryptography which we would like to be able to prove, but can't. For example, that RSA encryption is secure. No one has ever been able to offer any kind of formal proof that RSA is secure, even with the assumption that factoring is hard.

That is where the random oracle model comes in. Essentially, in this model, you assume certain idealized (and, for any real hash function, untrue) properties about a hash function. If you do that, then you can prove the security of a system. This was used, for example, to show some fairly strong security properties of OAEP and PSS (which are now being standardized in PKCS, IEEE 1363, and elsewhere).

So here is the essence of the model. You have a hash function that takes an arbitrary bit string and produces a k-bit output (for example, with SHA-1, k = 160). But instead of treating it as deterministic, which is what a real hash function is, you pretend that it is a random oracle. Basically, the hash function is given an input. If it has never seen that input before, it generates a random k-bit string and returns it. If it has seen that input before, it returns the same random string that it returned the last time it saw that input.
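The lazily sampled oracle just described, written out as an added example (this code is not part of the original entry). It puts a "remember what you answered before" random oracle behind the same interface as a real, deterministic 160-bit hash (SHA-1), so the difference the text is drawing can be seen directly: both are consistent on repeated inputs, but two independent random oracles will (with overwhelming probability) disagree on the same input, because neither is a fixed function. The sample queries are constructed for the example, and the class and function names are my own.

```python
import hashlib
import os
from typing import Callable, Dict


class RandomOracle:
    """Lazily sampled random oracle with k-bit outputs (k must be a multiple of 8 here).

    Models the idealised hash function described above: a fresh input gets a
    uniformly random k-bit string, a repeated input gets the string chosen earlier.
    """

    def __init__(self, k: int = 160) -> None:
        if k % 8 != 0:
            raise ValueError("k must be a multiple of 8 in this toy model")
        self.k = k
        self.table: Dict[bytes, bytes] = {}  # the oracle's memory of past queries

    def query(self, x: bytes) -> bytes:
        # Never seen before: sample a random k-bit string and remember it.
        if x not in self.table:
            self.table[x] = os.urandom(self.k // 8)
        # Seen before: return exactly what was returned last time.
        return self.table[x]


def sha1_oracle(x: bytes) -> bytes:
    """A real, deterministic 160-bit hash (SHA-1) behind the same interface."""
    return hashlib.sha1(x).digest()


def check_oracle_behaviour(h: Callable[[bytes], bytes]) -> dict:
    """Exercise a hash-like function and report the properties the model relies on.

    Returns the output length in bits, whether repeated inputs gave repeated
    outputs, and how many distinct outputs the distinct inputs produced.
    """
    # Constructed sample queries; "alpha" and "beta" are deliberately repeated.
    inputs = [b"alpha", b"beta", b"alpha", b"gamma", b"beta"]
    outputs = [h(x) for x in inputs]
    return {
        "output_bits": len(outputs[0]) * 8,
        "consistent": outputs[0] == outputs[2] and outputs[1] == outputs[4],
        "distinct_inputs": len(set(inputs)),
        "distinct_outputs": len(set(outputs)),
    }


if __name__ == "__main__":
    ro = RandomOracle(160)
    print("random oracle:", check_oracle_behaviour(ro.query), "table size:", len(ro.table))
    print("sha1:         ", check_oracle_behaviour(sha1_oracle))
    # Two independent oracles are two independent random functions.
    print("two oracles agree on b'alpha'?",
          RandomOracle().query(b"alpha") == RandomOracle().query(b"alpha"))
```

Note that the oracle's table only grows when a fresh input arrives; after the five constructed queries it holds exactly three entries, one per distinct input, which is the "generate once, then replay" behaviour the paragraph describes.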

This, quite simply, is not how hash functions work in real life; the random oracle is basically the "best" possible hash function you could have. This is why quite a few people dislike the random oracle model as a tool for proving security. However, given the choice between something provable in the random oracle model and a completely ad-hoc solution, the decision falls strongly in favour of the random-oracle-based solution, because at the very least it provides some kind of formal framework within which we can study the system.